“Our motivation here is not to provide anonymous communication, but to separate identification from routing.”

. “Proxies for anonymous routing”. Reed, Syverson, and Goldschlag. ACSAC 1996



A Motivational Use Case Example

. Navy Petty Officer Alice is temporarily in Repressia

. Safe back in her room at the Repressia Grand Hotel, PO Alice wants to read and/or post to sealiftcommand.com

[Figure: screenshot of the site's news page, headline “Military Sealift Command Accepts Navy’s Newest Ship, USNS William McLean”]

1. The site is blocked where she is deployed

2. The Internet is monitored where she is deployed
Connecting when overseas

[Figure: Navy PO Alice in her hotel. Contacted: sealiftcommand.com, 12/06/2011, 9PM, 20 min, encrypted. Rm: 416, Ckout on: 12/10/2011]

Security of operations concern as well as personnel security concern

[Figure: Navy PO Alice in her hotel. Contacted: nrl.navy.mil, 11/08/2011, 9PM, 20 min, encrypted. Rm: 416, Ckout on: 11/10/2011]



Some more government uses 


. Open source intelligence gathering 

. Sensitive communications with untrusted/ 
untrusting parties 

. Encouraging open communications with 
citizens 

. Location protected servers for defense in 
depth 

. Protecting the public infrastructure 

- Interacting with network sensors 



Ordinary citizen Alice 

. Protecting her behavior from: 

. Cyberstalking abusive ex-spouse 

. Behavior tracking and DNS shenanigans from 
her ISP 

. Misunderstanding from her employer when she 
investigates disease info for an ailing friend 

. Harassment for blogging her views 
USA TODAY

Facebook protest forces Israeli cheese price cuts

Posted 6/30/2011 9:29:01 AM

JERUSALEM (AP) — A high-profile Facebook 
protest has scored a victory for consumers 
in Israel: Their threats of a boycott have 
forced dairy manufacturers to lower the 
price of cottage cheese by some 25%. 

The two-week campaign drew more than 
105,000 people to join a Facebook group 
vowing to boycott the Israeli staple until 
prices dropped. The campaign has touched 
a nerve among Israelis concerned about 
rising prices and eroding salaries. 


spread to other fields: the price of gasoline,
which is now over $8 a gallon, and other
food products have recently skyrocketed as
well.

It also has highlighted the power of social 
media outlets in sparking change, with some 
comparing it to the revolutions taking place 
elsewhere in the Middle East. 

"True, this is not Tahrir Square yet, the 
cottage cheese rebellion did not require us 
to take any real action, just to press 'like' and 
skip the cottage cheese shelf in the 
supermarket," columnist Ben Caspit wrote in 
the Maariv daily, referring to the square that 
was the epicenter of the Egyptian uprising. 
"This was inaction, not action, and it 
demanded no real sacrifice." 

The Facebook page of the cottage cheese 
boycott identifies organizers as regular 
Freedom of speech? ... better ask your boss

The First Amendment takes on a different role when 
applied to the workplace 

By GARY HABER The News Journal 


Convinced you have freedom of 
speech at work? Think again. 

Maybe you should ask the 
AstraZeneca pharmaceutical sales 
manager fired earlier this month for 
comments he reportedly made in a 
company newsletter comparing 
physicians' offices to "a big bucket of 
money." 

Or, the Utah Web designer fired for 
observations about her job she posted 
on her personal blog. 


The News Journal/HOWARD JOHNSON

Or, former Philadelphia Eagles wide receiver Terrell Owens, whose
pointed criticism of the team and its quarterback got him
suspended in 2005.

The First Amendment, experts are quick to point out, doesn't
Ordinary citizen Alice


. Protecting her behavior from: 

. Cyberstalking abusive ex-spouse 

. Behavior tracking and DNS shenanigans from 
her ISP 

. Misunderstanding from her employer when she 
investigates disease info for an ailing friend 

. Harassment for blogging her views 

. Malicious parties watching her log into Club 
Penguin (and watching her mom logged into 
twitter from work) 

. Spear phishers watching her log into her bank 



Officer Alice 


. Setting up a sting operation: 

- as a collaborator 

- as a service provider 

. Monitoring criminal activity online 
. Encouraging anonymous tips 



Researcher/Reporter/Rights Worker 

Alice 

. Gathering information while protecting 
sources 

. Accessing information that is locally 
censored or monitored 

. Reporting information that is locally censored 
or monitored 
Corporation Alice


. Investigating competitors’ public sites 

. Avoiding leaking strategy or nonpublic 
information 

. Protecting customers 

- spearphishing 

- attacks or selective service disruption 

- privacy sensitivity 



Aside: some other benefits of an 
anonymity system 

. Besides protecting affiliation, etc. can provide 
“poor man’s VPN”. Access to the internet 
despite 

• Network port policy disconnects 

• DNS failure 
You can't be anonymous by yourself: private solutions are ineffective...

... so, anonymity loves company!
The simplest designs use a single relay to hide connections.

But an attacker who sees Alice can see who she's talking to.

[Figure labels: Bob1, Bob2, Bob3]

Add encryption to stop attackers who eavesdrop on Alice.

(e.g.: some commercial proxy providers, Anonymizer)

But a single relay is a single point of failure.
But a single relay is a single point of bypass.

[Figure labels: Alice1, Alice2, Alice3]

Timing analysis bridges all connections through relay => An attractive fat target

Low-latency systems are vulnerable to end-to-end correlation attacks.

[Figure: packet timing. Low-latency: Alice1 sends, Bob2 gets (match!); Alice2 sends, Bob1 gets (match!). High-latency: Alice1 sends, Alice2 sends, Bob1 gets, Bob2 gets.]

These attacks work in practice. The obvious defenses are expensive (like high-latency), useless, or both.

So, add multiple relays so that no single one can betray Alice.
A corrupt first hop can tell that Alice is talking, but not to whom.

A corrupt last hop can tell someone is talking to Bob, but not who.

How onion routing works:

Alice makes a session key with R1
...And then tunnels to R2...and to R3
Then talks to Bob over circuit

Feasible because onion routing uses (expensive) public-key crypto just to build circuits, then uses (cheaper) symmetric-key crypto to pass data

Can multiplex many connections through the encrypted circuit

What onion routing is not: Crowds


. Public-key based circuit building means 

• Forward security 

• Better practical scalability 

• Less centralized trust 

. Multiply encrypted circuits means 

• less risk of route capture 

• smaller profiling threat (also from shorter circuit 
duration) 

• security not dependent on hiding path position 

• able to support multiple applications/application 
encryption options 



Mix networks vs. Onion routing networks

[Figure: packet timing. Low-latency: Alice1 sends, Bob2 gets (match!); Alice2 sends, Bob1 gets (match!). High-latency: Alice1 sends, Alice2 sends, Bob1 gets, Bob2 gets.]

[Figure: a mix with inputs message 1, message 2, message 3, message 4. Randomly permutes and decrypts inputs]

What onion routing is NOT: Mixes 


. Entirely different threat model 

• mixes are based on an adversary not being able to correlate 
inputs and outputs he sees 

• onion routing is based on an adversary not being able to see 
both inputs and outputs to correlate 

• mix networks more secure against global passive adversary 

• mix networks can be less secure vs. local active adversary 

. Entirely different communications paradigm: Circuit 
based encryption vs. per message 

• onion routing supports bidirectional communication 

• onion routing supports low-latency communication 

. Can be combined to make mixing onion routers, but 
not typically done or desired 
What onion routing is


. Uses expensive crypto (public-key) to lay a 
cryptographic circuit over which data is 
passed 

. Typically uses free-route circuit building to 
make location of circuit endpoints 
unpredictable 
Why call it “onion routing”?

Answer: Because of the original key distribution data structure

. Onion: Just layers of public-key crypto

• Nothing in the center, just another layer



Circuit setup 



. NRL v0 and v1 onion routing and also ZKS Freedom network used onions to build circuits

• Lacked Forward Secrecy 

• Required storing record of onions against replay 

. Tor (NRL v2) uses one layer “onion skins” 

• ephemeral Diffie-Hellman yields forward secrecy 

• No need to record processed onions against replay 

• From suggestion out of Zack Brown’s Cebolla 



Aside: Why is it called Tor and 
what does ‘Tor’ mean? 

. Frequent question to Roger c. 2001-2: Oh 
you’re working on onion routing... which one? 

. Roger: THE onion routing. The original onion 
routing project from NRL. 

. Rachel: That’s a good acronym. 

. Roger: And it’s a good recursive acronym. 

. Plus, as a word, it has a good meaning in German (door/gate/portal) and Turkish (fine-meshed net)




. We foolishly called the first Tor paper “Tor: 
the second generation onion router” 

. But this was very confusing 

• ‘Tor’ stands for “The onion routing” or “Tor’s onion 
routing”. It does not stand for “the onion router” 

• The paper is about the whole system, not just the 
onion routers 

• Tor is not the second generation 
. Tor: A (class of) onion routing design created at NRL starting c. 2001-2.

. Tor: A U.S. 501(c)3 nonprofit organization formed in 2006.

. Tor: A client software program that connects your computer to the Tor network.

. Tor: A volunteer network comprised of c. 3000 nodes serving c. 1 GiB/s data for c. 500K-1M users (see metrics.torproject.org)

. Any amorphous combination of the above or other users
Onion routing origins: Generation 0

. Fixed-length five-node circuits
. Integrated configuration
. Static topology
. Loose-source routing
. Partial active adversary
. Rendezvous servers and reply onions

Onion routing, the next generation

. Running a client separated from running an OR

. Variable length circuits (up to 11 hops per onion — or tunnel for more)

. Application independent proxies (SOCKS) plus redirector

. Entry policies and exit policies

. Dynamic network state, flat distribution of state info

. Multiplexing of multiple application connections in single onion routing circuit

. Mixing of cells from different circuits

. Padding and bandwidth limiting

Third-generation onion routing (Tor)

. Onion skins, not onions: Diffie-Hellman based circuit building

. Fixed-length three-hop circuits

. Rendezvous circuits and hidden servers

. Directory servers, caching (evolved w/in Tor)

. Most application specific proxies no longer needed (still need e.g. for DNS)

. Congestion control

. End-to-end integrity checking

. No mixing and no padding



Tor Circuit Setup (Create)

[Figure]

Tor Circuit Setup (Extend)

[Figure labels: Client Initiator, OR2, Hash(...)]

Tor Circuit Setup (Begin) and Data Flow

[Figure labels: Client Initiator, OR1, OR2, Connect, Reply]

More on Tor circuit establishment 


Designing your own authentication protocol is error 
prone. Why not use an established protocol? 

Answer: To fit whole messages inside Tor cells. A 
public key and a signature don’t both fit in one 512-byte 
cell. 

Protocol was verified using the NRL protocol analyzer 
in the Dolev-Yao model. 

In 2005 Ian Goldberg found a flaw in the way Tor
implemented this protocol (checking that a public value
was not based on a weak key).

In 2006 Ian proved the (properly implemented) protocol 
secure in the random oracle model. 
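
The circuit building described under “How onion routing works” and the onion-skin handshake discussed here, as an added Python sketch (not Tor's code and not from the slides): one ephemeral Diffie-Hellman exchange per hop with a Hash(K) confirmation and a range check on public values, then layered symmetric encryption over the circuit. Assumptions: the toy group `P`, `G`, the SHA-256 keystream standing in for a real cipher, and all function names are illustrative; encrypting g^x to each relay's public key is omitted, so relays are not authenticated here; the range check is the generic degenerate-value test, since the slides do not detail the 2005 flaw.

```python
import hashlib
import hmac
import secrets

# Toy group (an assumption of this example, not Tor's parameters): 2**127 - 1
# is a Mersenne prime, far too small and too smooth for real use.
P = 2**127 - 1
G = 3

def valid_public(value):
    """Reject DH public values that force a predictable shared secret."""
    return 1 < value < P - 1   # excludes 0, 1, p-1 and anything out of range

def derive_key(shared):
    return hashlib.sha256(b"circuit-key" + shared.to_bytes(16, "big")).digest()

def key_hash(key):
    return hashlib.sha256(b"confirm" + key).digest()

def xor_layer(key, data):
    """Add or remove one layer (SHA-256 counter keystream as a stand-in cipher)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

class Relay:
    def __init__(self, name):
        self.name = name
        self.key = None

    def handle_create(self, client_public):
        if not valid_public(client_public):
            raise ValueError(f"{self.name}: degenerate DH value from client")
        y = secrets.randbelow(P - 3) + 2          # ephemeral, discarded on return
        self.key = derive_key(pow(client_public, y, P))
        return pow(G, y, P), key_hash(self.key)   # g^y and Hash(K)

    def peel(self, cell):
        return xor_layer(self.key, cell)

def handshake(relay):
    """Client side of one create/created exchange; returns the session key."""
    x = secrets.randbelow(P - 3) + 2
    relay_public, confirmation = relay.handle_create(pow(G, x, P))
    if not valid_public(relay_public):
        raise ValueError(f"{relay.name}: degenerate DH value from relay")
    key = derive_key(pow(relay_public, x, P))
    if not hmac.compare_digest(confirmation, key_hash(key)):
        raise ValueError(f"{relay.name}: key confirmation failed")
    return key

def build_circuit(relays):
    # In Tor the later handshakes are tunneled through the hops already built;
    # here the client calls each relay directly to keep the example short.
    return [handshake(relay) for relay in relays]

def wrap(keys, payload):
    for key in reversed(keys):   # last hop's layer goes on first (innermost)
        payload = xor_layer(key, payload)
    return payload

def relay_views(relays, cell):
    """What the cell looks like after each relay in turn removes its layer."""
    views = []
    for relay in relays:
        cell = relay.peel(cell)
        views.append(cell)
    return views

if __name__ == "__main__":
    circuit = [Relay("R1"), Relay("R2"), Relay("R3")]
    keys = build_circuit(circuit)
    for relay, view in zip(circuit, relay_views(circuit, wrap(keys, b"hello Bob"))):
        print(relay.name, "forwards", view)
```

Without the `valid_public` check, a peer that supplies 0, 1 or p-1 fixes the shared secret to a value anyone can compute, and the Hash(K) confirmation would still match.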



Circuit establishment efficiency 


. I and others have proposed protocols to 
reduce the public-key overhead of circuit 
establishment. 

. Interesting refinements on forward secrecy, 
but these need more study (and proofs!) 
before adoption 


. Next question: How do we know where to 
build a circuit? 



How do we know where to build a 
circuit? Network discovery. 

. Flat flooding of network state: complex, tricky, scales in principle but ?

. Tor has a directory system 

. Originally a single directory signing 
information about network nodes. Then a 
multiple redundant directory with mirrors. 
Then a majority vote system. Then a 
consensus document system. Then separate 
things that need to be signed and updated 
frequently. Then... 



Onion routing was invented to 
separate identification from routing 

. What if onion-routing-network-user is the 
identification you want to avoid? 

. Bridges are proxies into the Tor network that are 
not publicly listed. 

. Tricky to get bridge info out to potential users 
without giving it to the network blockers. 

. See https://blog.torproject.org/blog/research-problems-ten-ways-discover-tor-bridges

. Can also use Telex, Decoy Routing, Cirripede, 
etc. to inband signal redirection of a cover 
destination into Tor. 
What if adversary owns a botnet or has nation level resources?

. Consumer Alice, abuse/disease victim Alice, 
local law enforcement Alice, etc. probably OK 

. Intelligence analyst Alice, DoD road warrior 
Alice, etc. ? 
First-Last Correlation Problem

What?

. Adversary observes first and last routers.

. Traffic patterns link first and last routers.

Why?

. Attack completely breaks anon regardless of number of users.

. Attack possible with moderate resources.

- 17MB/s compromises random 1% of current Tor users (100 or so home Internet accounts needed for attack)

. Padding, etc. too expensive and will never work anyway.



Key Idea: Trust 

. Users may know how likely a router is to be 
under observation. 

Tor Routers with Possible Trust Factors

| Name | Hostname | Bandwidth | Uptime | Location | Tor version | OS |
|---|---|---|---|---|---|---|
| moria | nexico.ediscom.de | 4 KB/s | 67 days | Germany | 0.2.1.26 | Linux |
| Republic | xvm-107.mit.edu | 121 KB/s | 49 days | USA | 0.2.1.29 | Linux |
| Unnamed | static-ip-166-154-142-114.rev.dyxnet.com | 58 KB/s | 58 days | Hong Kong | 0.2.1.29 | Windows Server 2003 SP2 |

Source: http://torstatus.blutmagie.de, 10/12/2011
Basic Adversary Model

[Figure: Users, Routers R, Adversary A, Destinations]

Basic Trust Model

[Figure: Users, Routers R, Adversary A, Destinations; Probability of Compromise: c]

Trust Model 1: Limited Adversary

[Figure: Users, Routers R, Destinations; Probability of Compromise: c; Adversary $A \subseteq R$, $|A| \le k$]
Basic User and Adversary Game

. Router $r_i$ has trust $t_i$. An attempt to compromise a router succeeds with probability $c_i = 1 - t_i$.

. Users choose a distribution from which they will select paths.

. Adversary attempts to compromise at most k routers, $K \subseteq R$.

. After attempts, users actually choose paths.




Trust Model 2: Per-User Adversary

[Figure: User u and Naive users N, Routers R, Destinations; Probability of Compromise: c; Adversary $A_u$ and Adversary $A_N$]
Downhill Algorithm

Key idea: Blend in with the naive users.

1. Set path length $\ell$ and trust levels $\lambda_1, \ldots, \lambda_\ell$ to optimize anonymity metric.

2. For $1 \le i \le \ell$,

Randomly select among routers with trust $\ge \lambda_i$

3. For each connection,

Create circuit through selected routers to the destination.
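
Steps 2 and 3 of the algorithm, as an added Python sketch that is not from the slides or from the research code behind them. Assumptions: the eight-router trust table is constructed, the thresholds decrease along the path (the slide text does not preserve their ordering), and every router is independently compromised with probability c_i = 1 - t_i. It reports endpoint exposure and the set of possible last hops, not the posterior-probability metric of the anonymity analysis.

```python
from fractions import Fraction
import secrets

# Constructed router set: names and trust values are illustrative only.
TRUST = {
    "h1": Fraction(9, 10), "h2": Fraction(9, 10), "h3": Fraction(9, 10),
    "m1": Fraction(1, 2), "m2": Fraction(1, 2),
    "l1": Fraction(1, 10), "l2": Fraction(1, 10), "l3": Fraction(1, 10),
}

STRATEGIES = {
    "most trusted": (Fraction(9, 10),) * 3,
    "downhill": (Fraction(9, 10), Fraction(1, 2), Fraction(0)),  # assumed decreasing
    "uniform": (Fraction(0),) * 3,
}

def eligible(trust, threshold, used):
    """Routers with trust >= threshold that are not already on the path."""
    return sorted(r for r, t in trust.items() if t >= threshold and r not in used)

def downhill_path(trust, thresholds, rng=None):
    """Pick hop i uniformly among unused routers with trust >= thresholds[i]."""
    rng = rng or secrets.SystemRandom()
    path = []
    for threshold in thresholds:
        candidates = eligible(trust, threshold, path)
        if not candidates:
            raise ValueError("no unused router meets threshold %s" % threshold)
        path.append(rng.choice(candidates))
    return path

def path_distribution(trust, thresholds, prefix=(), prob=Fraction(1)):
    """Exact probability of every path the selection rule can produce."""
    if len(prefix) == len(thresholds):
        return {prefix: prob}
    candidates = eligible(trust, thresholds[len(prefix)], prefix)
    dist = {}
    for router in candidates:
        dist.update(path_distribution(trust, thresholds, prefix + (router,),
                                      prob / len(candidates)))
    return dist

def endpoint_compromise(trust, thresholds):
    """P(first and last hop both compromised), each with c_i = 1 - t_i."""
    return sum(p * (1 - trust[path[0]]) * (1 - trust[path[-1]])
               for path, p in path_distribution(trust, thresholds).items())

def exit_set(trust, thresholds):
    """Routers that can appear as the last hop under these thresholds."""
    return {path[-1] for path in path_distribution(trust, thresholds)}

if __name__ == "__main__":
    for name, thresholds in STRATEGIES.items():
        print(name, endpoint_compromise(TRUST, thresholds),
              len(exit_set(TRUST, thresholds)), downhill_path(TRUST, thresholds))
```

On the constructed table, most-trusted selection gives 1/100 endpoint exposure but only three possible last hops, the decreasing thresholds give 3/50 with all eight routers possible as last hop, and uniform selection gives 163/700.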
Anonymity Analysis

Metric: Posterior probability of actual source of a given connection.

| Expected anonymity | Downhill | Most trusted | Random | Lower bound |
|---|---|---|---|---|
| Many @ medium trust | 0.0274 | 0.2519 | 0.1088 | 0.01 |
| Many @ low trust | 0.0550 | 0.1751 | 0.4763 | 0.001 |
Scenario 1: User has some limited information.

[Figure labels: c=.1, c=.9; 10 routers, 1000 routers]
Scenario 2: User and friends run routers. Adversary is strong.

[Figure labels: c=.001, c=.05; 5 routers, 50 routers, 1000 routers]
Using Trust is first approach to protect traffic even if adversary owns a large chunk of the network.

Not yet (or much) mentioned/future work: 

. Datagram transport 
. Links 

. Performance/congestion/throttling/incentives 
. Hidden services 
. Trust propagation 
. Better security models 



Questions? 